From 60cf5ea297a17db861e73cd65d7b7862bd6bcc24 Mon Sep 17 00:00:00 2001
From: Inverle <inverle@proton.me>
Date: Thu, 4 Dec 2025 08:46:11 +0100
Subject: Improve anonymous authentication logic (#8165)

* Improve anonymous authentication logic

* forgot to git add

* Fix incorrect token check

Because an empty parameter could be just passed if token for the user wasn't set: `&token=`
---
 lib/Minz/Request.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'lib/Minz')

diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php
index 3355058f1..0e8dc28d0 100644
--- a/lib/Minz/Request.php
+++ b/lib/Minz/Request.php
@@ -560,6 +560,22 @@ class Minz_Request {
 		return 'POST' === ($_SERVER['REQUEST_METHOD'] ?? '');
 	}
 
+	public static function tokenIsOk(): bool {
+		$token_param = self::paramString('token');
+		if ($token_param == '') {
+			return false;
+		}
+		$username = self::paramString('user');
+		if ($username == '') {
+			return false;
+		}
+		$conf = FreshRSS_UserConfiguration::getForUser($username);
+		if ($conf === null || !hash_equals($conf->token, $token_param)) {
+			return false;
+		}
+		return true;
+	}
+
 	/**
 	 * @return list<string>
 	 */
-- 
cgit v1.2.3